High Level Design Proof of a Reliable Computing Platform

Research Objectives

Digital Flight Control Systems














Reliable Computing Platform 














Research Objectives 



Operating System for Control Applications










Application Task Characteristics

Architectural Concept











Design Decisions 




Reliability model of quadruplex version of system 



λ_t = transient fault rate (~10^-3 /hr)
λ_p = permanent fault rate (~10^-4 /hr)
ρ = rate of recovery from transient fault (design-dependent)


Transient Fault Recovery 



Note inflection point on the order of one minute 



Application Definition 




Task Schedule 
then exec(s, «, i, j)
else u.results(i, j)



Uniprocessor Model (Cont'd.)



Act(u, k) = { u.results(u.frame ⊕ 1, j)   if ∃ j · AO(u.frame ⊕ 1, j)
            { ⊥                            otherwise
Replicated Processor Model (Cont'd.)

A Simple Fault Model

Definition 1 The Maximum Fault Assumption for a given fault function F is that /u^n..? 7 ) > R/2 for every frame n.

All theorems about state machine correctness are predicated on this assumption.
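To show what the Maximum Fault Assumption buys the voting proofs, here is an added example (not code from the slides or the paper they summarise) that simulates R = 4 replicated processors frame by frame and majority-votes their results. The frame numbering, the fault pattern (FAULT_PATTERN), the replica outputs and the worst case of faulty replicas agreeing on one wrong value are all constructed for illustration; the only thing taken from the page is the condition that strictly more than R/2 replicas must be non-faulty in every frame.

```python
# Added example: majority voting over R replicated processors, one frame at a time.
# Constructed for illustration; not the original slides' or project's code.
from collections import Counter

R = 4  # quadruplex configuration: four replicated processors (assumed)


def majority_vote(values):
    """Return the value held by strictly more than half of the replicas,
    or None when no value reaches that majority (a detectable tie/disagreement)."""
    value, count = Counter(values).most_common(1)[0]
    return value if count > len(values) / 2 else None


def maximum_fault_assumption_holds(faulty, r=R):
    """Maximum Fault Assumption as stated on the page: the number of
    non-faulty replicas in this frame must exceed R/2."""
    return (r - len(faulty)) > r / 2


def frame_outputs(faulty, good_output, bad_output, r=R):
    """Outputs of the r replicas in one frame. Faulty replicas are modelled
    in the worst case: they all emit the same wrong value (constructed assumption)."""
    return [bad_output if i in faulty else good_output for i in range(r)]


def run_frames(fault_pattern, good_output, bad_output, r=R):
    """Simulate each frame in fault_pattern (frame -> set of faulty replica ids).
    Returns [(frame, voted_value, assumption_holds), ...]."""
    report = []
    for frame in sorted(fault_pattern):
        faulty = fault_pattern[frame]
        voted = majority_vote(frame_outputs(faulty, good_output, bad_output, r))
        report.append((frame, voted, maximum_fault_assumption_holds(faulty, r)))
    return report


# Constructed fault pattern: no faults, one fault, exactly R/2 faults, three faults.
FAULT_PATTERN = {0: set(), 1: {2}, 2: {1, 3}, 3: {0, 1, 2}}

if __name__ == "__main__":
    for frame, voted, holds in run_frames(FAULT_PATTERN, "ok", "bad"):
        print(f"frame {frame}: vote={voted!r} assumption_holds={holds}")
```

Frames 0 and 1 satisfy the assumption and the vote returns the correct result; frame 2 has exactly R/2 good replicas, which the assumption forbids, and the vote degrades to a detectable tie; frame 3 violates it further and the vote is silently wrong. That is exactly why the correctness theorems are stated only under the assumption: below the majority threshold, voting gives no guarantee at all.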




Framework For Proving State Machine Correctness

Derived Correctness Criteria

Intermediate Assertions

Continuous Voting

Cyclic Voting